Realistically, the world is rapidly moving mobile, but the desktop world of laptops and PCs (and, yes, Macs) isn't likely to vanish for at least five years. But one benefit of a chip-based approach is that it is agnostic regarding mobile or desktop hardware.
Authenticating devices vs. authenticating users
But what are the dangers of authenticating devices rather than users? Yes, authenticating a device is easier. The user needn't do anything to let a site authenticate the device. But what happens when the device is being used by someone else? Some of the device attributes being considered for device authentication could survive a software wipe.
Of course, authenticating users is more disruptive, requiring some kind of biometrics, such as a fingerprint or a facial scan - in security parlance, something you are - or "secret" questions - something you know.
The NCCoE paper presents hypothetical examples of how authentication could work in specific situations, and challenge questions were part of the process in some cases. But the need to answer such questions can make ecommerce too bothersome for many people. Retailers, always looking for a competitive edge, might opt for less security and more convenience.
Sprague comes back to the hardware device-authentication argument. He maintains that a shopper is very likely to notice a missing phone and do so fast. As long as there is an easy and intuitive way for a user to quickly alert authorities that the device is missing and that universal authentication should be shut down, this might work.
Sign up for CIO Asia eNewsletters.